According to separate investigations by Google Cloud and security company Wiz, North Korean hacking groups use job lures aimed at employees to gain access to cloud systems and steal millions of dollars' worth of cryptocurrency.
In Google Cloud's H2 2025 Cloud Threat Horizons Report, Google Threat Intelligence Group revealed that it is "actively tracking" UNC4899, a North Korean hacking unit that successfully compromised two companies after contacting their employees via social media.
In both cases, UNC4899 gave the employee a task that resulted in the employee running malware on their workstation, allowing the group to establish a connection between its command-and-control infrastructure and the target company's cloud-based systems.
As a result, UNC4899 was able to explore the victim's cloud environment, obtain credentials, and ultimately identify the host responsible for processing crypto transactions.
The two incidents targeted different (unnamed) companies and different cloud services (Google Cloud and AWS), and both resulted in the theft of "millions of cryptocurrencies."
The use of job lures by North Korean hackers is currently "very common and widespread," Google's Collier told Decrypt.
"They frequently posed as recruitment managers, journalists, subject matter experts or university professors when contacting targets," he says, often communicating several times to build relationships with them.
Act immediately
Collier explains that North Korean threat actors were among the first to adopt new technologies such as AI, using it to create "more persuasive trust emails" and to write malicious scripts.
Separately, cloud security company Wiz has published its own report on UNC4899, noting that the group is also known by the names TraderTraitor, Jade Sleet and Slow Pisces.
Wiz said TraderTraitor represents a specific type of threat activity rather than a specific group, and that the North Korean state-linked entities Lazarus Group, APT38, BlueNoroff, and Stardust Chollima are behind typical TraderTraitor exploits.
In its analysis of UNC4899/TraderTraitor, Wiz traces the campaign back to 2020, when the responsible hacking groups were already using job lures to get employees to download malicious cryptocurrency apps built with JavaScript and Node.js on the Electron framework.
According to Wiz, the group's campaign from 2020 to 2022, which included Lazarus Group, "successfully compromised multiple organizations," including the $620 million breach of Axie Infinity's Ronin network.
TraderTraitor's threat activity then evolved in 2023 to incorporate malicious open source code, and in 2024 it doubled down on fake job offers, targeting exchanges in particular.
Most notably, the TraderTraitor group was responsible for the $305 million hack of Japan's DMM Bitcoin in the second half of 2024 and the $1.5 billion hack of the Bybit exchange, which came to light in February of this year.
Targeting the cloud
Similar to the exploits highlighted by Google, these hacks target cloud systems to varying degrees, and according to Wiz, such systems represent a critical vulnerability for the crypto industry.
"TraderTraitor goes where the data, and therefore the money, is," Wiz told Decrypt. "This is especially true in the crypto industry, where companies are likely to be newer and to be building infrastructure in a cloud-first way."
Read explained that targeting cloud technology helps hacking groups hit a wide range of targets and increases their chances of making more money.
The groups are large operations, with "an estimated $1.6 billion of cryptocurrency stolen so far in 2025," he said, adding that TraderTraitor and associated groups have a workforce "of probably thousands of people."
"It's difficult to come up with a particular number, but it's clear that the North Korean regime is investing significant resources in these capabilities."
Ultimately, such investment has made North Korea a leader in crypto hacking: a February report from TRM Labs concluded that the country accounted for 35% of all funds stolen last year.
Experts said all available signs suggest that the country is likely to remain a fixture of crypto-related hacking, especially given its operatives' ability to adopt new technologies.
"North Korea's threat actors are a dynamic and agile force that continuously adapts to meet the regime's strategic and financial goals," said Google's Collier.
Returning to the increasing use of AI by North Korean hackers, Collier explained that it acts as a "force multiplier," allowing them to scale their operations.
“There is no evidence that they are slowing down and we expect this expansion to continue,” he said.